PS-07 External Personnel Security
a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify ps-07_odp.01 of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ps-07_odp.02; and
e. Monitor provider compliance with personnel security requirements.
| Parameter ID | Definition |
|---|---|
| ps-07_odp.01 | personnel or roles |
| ps-07_odp.02 | time period |
Baselines
- L
- M
- H
- P
Guidance
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.
References
- SP 800-35 Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.
- SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
Related controls
- AT-02 Literacy Training and Awareness L M H P
- AT-03 Role-based Training L M H P
- MA-05 Maintenance Personnel L M H P
- PE-03 Physical Access Control L M H P
- PS-02 Position Risk Designation L M H P
- PS-03 Personnel Screening L M H P
- PS-04 Personnel Termination L M H P
- PS-05 Personnel Transfer L M H P
- PS-06 Access Agreements L M H P
- SA-05 System Documentation L M H P
- SA-09 External System Services L M H P
- SA-21 Developer Screening L M H P